#!/bin/bash
# CITATION: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an
# Print a section banner on stdout: one blank line, then the arguments
# (joined by single spaces) framed between two "# ====" rules.
hdr() {
    local rule="# ================================================================"
    printf '\n%s\n# %s\n%s\n' "${rule}" "$*" "${rule}"
}

hdr "bash shellshock fix for Mac OS X 10.9.5"

# Gate on the exact OS release: the script replaces /bin/bash and /bin/sh,
# so it refuses to run anywhere it has not been tested.
hdr "Verify the OS version"
SWVER=$(sw_vers -productVersion)
case "${SWVER}" in
    10.9.5)
        ;;
    *)
        echo "ERROR: This script has only been tested on Mac OS X 10.9.5, cannot continue."
        exit 1
        ;;
esac

# The build step needs xcodebuild; the presence of the Command Line Tools
# package receipt is used as the proxy for that.
hdr "Verify that xcode command line tools are installed."
st=0
pkgutil --pkg-info=com.apple.pkg.CLTools_Executables || st=$?
if [[ "${st}" -ne 0 ]] ; then
    echo "ERROR: This script requires xcode, cannot continue."
    exit 1
fi

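# Fetch the Apple bash source tarball and the two patches into ./downloads.
#
# Everything fetched here is compiled and then copied over /bin/bash and
# /bin/sh with sudo, so the integrity of these three files is the trust
# anchor for the whole script:
#   * TLS certificate verification is left ON (no --no-check-certificate).
#   * A failed or partial transfer never leaves a file that a later run
#     would mistake for a completed download.
#   * Each file can optionally be pinned to a SHA-256 digest that the
#     operator obtained out of band, via BASH92_TARBALL_SHA256,
#     BASH32_052_SHA256 and BASH32_053_SHA256 (lowercase hex). This page
#     publishes no digests, so none are hard-coded here.
#
# Arguments: $1 - URL to fetch; the local name is its last path component
#            $2 - expected SHA-256 (lowercase hex), or empty to skip the check
# Exits the script with status 1 on any download or verification failure.
fetch_if_missing() {
    local url=$1
    local sha256=${2:-}
    local name=${url##*/}
    local dest="downloads/${name}"
    local actual

    if [ -f "${dest}" ] ; then
        return 0
    fi

    hdr "Downloading ${name}"
    if ! mkdir -p downloads ; then
        echo "ERROR: cannot create the downloads directory, cannot continue." >&2
        exit 1
    fi

    # Without TLS or a pinned digest nothing authenticates the bytes that
    # will end up in /bin/bash; make that visible to the operator.
    if [[ "${url}" != https://* && -z "${sha256}" ]] ; then
        echo "WARNING: ${url} is fetched without TLS and without a pinned SHA-256;" >&2
        echo "WARNING: its contents are not authenticated. Pin a digest you have verified." >&2
    fi

    # Download to a temporary name so an interrupted transfer is retried.
    if ! wget -O "${dest}.part" "${url}" ; then
        rm -f -- "${dest}.part"
        echo "ERROR: download of ${url} failed, cannot continue." >&2
        exit 1
    fi

    if [ -n "${sha256}" ] ; then
        actual=$(shasum -a 256 "${dest}.part" | awk '{print $1}')
        if [ "${actual}" != "${sha256}" ] ; then
            rm -f -- "${dest}.part"
            echo "ERROR: SHA-256 mismatch for ${name}: expected ${sha256}, got ${actual:-<none>}." >&2
            exit 1
        fi
    fi

    if ! mv -- "${dest}.part" "${dest}" ; then
        echo "ERROR: cannot move ${dest}.part into place, cannot continue." >&2
        exit 1
    fi

    # A fresh download invalidates any previously patched/built tree.
    # sudo is kept because trees from earlier runs may be root-owned.
    if [ -d bash-92 ] ; then
        sudo rm -rf bash-92
    fi
}

fetch_if_missing https://opensource.apple.com/tarballs/bash/bash-92.tar.gz "${BASH92_TARBALL_SHA256:-}"
fetch_if_missing https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 "${BASH32_052_SHA256:-}"
# NOTE(review): plain HTTP from a third-party host. Prefer an HTTPS copy
# from the same official patch directory used for bash32-052 if one is
# published there, and pin BASH32_053_SHA256 either way.
fetch_if_missing http://alblue.bandlem.com/bash32-053.patch "${BASH32_053_SHA256:-}"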

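# Unpack, patch and build bash, unless a bash-92 tree already exists.
#
#   * The work runs in a subshell so the script's working directory is
#     unchanged afterwards; later steps use paths relative to the starting
#     directory (bash-92/build/Release/...).
#   * Every step is chained with &&, so a failed extract or a rejected patch
#     stops the build instead of compiling unpatched source.
#   * The build runs as the invoking user. Compiling freshly downloaded
#     source does not need root; only the copy into /bin does.
#   * The tarball is gzip-compressed, hence "tar xzf".
if [ ! -d bash-92 ] ; then
    hdr "Patch and build"
    (
        tar xzf downloads/bash-92.tar.gz &&
        cd bash-92/bash-3.2 &&
        ls -l ../../downloads &&
        patch -p0 <../../downloads/bash32-052 &&
        patch -p0 <../../downloads/bash32-053.patch &&
        cd .. &&
        xcodebuild
    )
    build_st=$?
    if (( build_st != 0 )) || [ ! -x bash-92/build/Release/bash ] || [ ! -x bash-92/build/Release/sh ] ; then
        echo "ERROR: patching or building bash failed, cannot continue." >&2
        # Remove the partial tree so the next run starts from a clean
        # extract rather than skipping this step.
        rm -rf -- bash-92
        exit 1
    fi
fi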

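# Install one rebuilt shell over its system copy.
#
# For NAME in {bash, sh}:
#   /bin/NAME-3.2.53  <- rebuilt binary (kept as a reference copy)
#   /bin/NAME-3.2.51  <- original system binary, execute bits removed
#   /bin/NAME         <- rebuilt binary
# The 3.2.51 backup doubles as the "already installed" marker, so it is only
# created once the rebuilt binary has passed the checks below.
#
# Arguments: $1 - "bash" or "sh"
# Exits the script with status 1 if the rebuilt binary is missing, does not
# run, still executes code appended to an imported function definition, or
# if any copy fails.
install_rebuilt() {
    local name=$1
    local release_dir=bash-92/build/Release
    local backup="/bin/${name}-3.2.51"
    local built

    if [ -f "${backup}" ] ; then
        return 0
    fi
    hdr "Install ${name}"

    # If an earlier step left the working directory inside bash-92, the
    # build output is at ./build/Release instead.
    if [ ! -d "${release_dir}" ] && [ -d build/Release ] && [ "${PWD##*/}" = "bash-92" ] ; then
        release_dir=build/Release
    fi
    built="${release_dir}/${name}"

    if [ ! -x "${built}" ] ; then
        echo "ERROR: ${built} not found or not executable; refusing to touch /bin/${name}." >&2
        exit 1
    fi
    # A shell that cannot start must never replace /bin/bash or /bin/sh.
    if ! "${built}" -c 'exit 0' ; then
        echo "ERROR: ${built} does not run; refusing to install it." >&2
        exit 1
    fi
    # Same probe as the final verification step, applied before install so
    # an unpatched build is never copied into /bin.
    if env x='() { :;}; echo vulnerable' "${built}" -c : 2>&1 | grep -q '^vulnerable$' ; then
        echo "ERROR: ${built} is still vulnerable; refusing to install it." >&2
        exit 1
    fi

    if ! sudo cp "${built}" "/bin/${name}-3.2.53" ; then
        echo "ERROR: cannot copy ${built} to /bin/${name}-3.2.53." >&2
        exit 1
    fi
    if ! sudo cp "/bin/${name}" "${backup}" ; then
        echo "ERROR: cannot back up /bin/${name} to ${backup}." >&2
        exit 1
    fi
    if ! sudo cp "${built}" "/bin/${name}" ; then
        echo "ERROR: cannot replace /bin/${name}; the original is saved as ${backup}." >&2
        exit 1
    fi
    # Keep the old binary for rollback but make sure nothing can run it.
    # "a-x" is explicit about all three classes, independent of umask.
    if ! sudo chmod a-x "${backup}" ; then
        echo "ERROR: cannot remove execute permission from ${backup}." >&2
        exit 1
    fi
}

install_rebuilt bash
install_rebuilt sh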

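hdr "Verify"
command -v bash
bash --version
cat <<EOF

Expected output:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for 'x'
    bash: shellshock test

EOF
env x='() { :;}; echo vulnerable' bash -c "echo bash: shellshock test"

# The line above exercises whichever bash is first on PATH and relies on a
# human comparing the output. The installed targets are /bin/bash and
# /bin/sh, so probe both by absolute path and fail the script if either
# still runs the command appended to the imported function definition.
# This probe covers only the function-import issue named in the citation
# (CVE-2014-6271); it does not by itself confirm the bash32-053 change.
verify_failed=0
for shell_path in /bin/bash /bin/sh ; do
    if env x='() { :;}; echo vulnerable' "${shell_path}" -c : 2>&1 | grep -q '^vulnerable$' ; then
        echo "ERROR: ${shell_path} is still vulnerable." >&2
        verify_failed=1
    fi
done
if (( verify_failed )) ; then
    exit 1
fi

hdr "Done"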
